1
From 52db90d0fa770e2277645eb34956820cec26b2cb Mon Sep 17 00:00:00 2001
2
From: Kees Cook <keescook@chromium.org>
3
Date: Sat, 25 Feb 2012 12:28:44 +1100
4
Subject: [PATCH 5/5] fs: hardlink creation restriction cleanup
6
Clean-up of hardlink restriction logic, as suggested by Andrew Morton.
8
Signed-off-by: Kees Cook <keescook@chromium.org>
9
Cc: Ingo Molnar <mingo@elte.hu>
10
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
12
fs/namei.c | 62 ++++++++++++++++++++++++++++++++++++++++++-----------------
13
1 files changed, 44 insertions(+), 18 deletions(-)
15
diff --git a/fs/namei.c b/fs/namei.c
16
index fe13533..1436fae 100644
19
@@ -693,46 +693,72 @@ static inline int may_follow_link(struct path *link)
23
+ * safe_hardlink_source - Check for safe hardlink conditions
24
+ * @inode: the source inode to hardlink from
26
+ * Return false if at least one of the following conditions:
27
+ * - inode is not a regular file
29
+ * - inode is setgid and group-exec
30
+ * - access failure for read and write
32
+ * Otherwise returns true.
34
+static bool safe_hardlink_source(struct inode *inode)
36
+ mode_t mode = inode->i_mode;
38
+ /* Special files should not get pinned to the filesystem. */
42
+ /* Setuid files should not get pinned to the filesystem. */
46
+ /* Executable setgid files should not get pinned to the filesystem. */
47
+ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
50
+ /* Hardlinking to unreadable or unwritable sources is dangerous. */
51
+ if (inode_permission(inode, MAY_READ | MAY_WRITE))
58
* may_linkat - Check permissions for creating a hardlink
59
* @link: the source to hardlink from
61
* Block hardlink when all of:
62
* - sysctl_protected_hardlinks enabled
63
* - fsuid does not match inode
64
- * - at least one of:
65
- * - inode is not a regular file
67
- * - inode is setgid and group-exec
68
- * - access failure for read and write
69
+ * - hardlink source is unsafe (see safe_hardlink_source() above)
72
* Returns 0 if successful, -ve on error.
74
static int may_linkat(struct path *link)
77
const struct cred *cred;
81
if (!sysctl_protected_hardlinks)
84
cred = current_cred();
85
inode = link->dentry->d_inode;
86
- mode = inode->i_mode;
88
- if (cred->fsuid != inode->i_uid &&
89
- (!S_ISREG(mode) || (mode & S_ISUID) ||
90
- ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
91
- (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
92
- !capable(CAP_FOWNER))
96
- audit_log_link_denied("linkat", link);
97
+ /* Source inode owner (or CAP_FOWNER) can hardlink all they like,
98
+ * otherwise, it must be a safe source.
100
+ if (cred->fsuid == inode->i_uid || safe_hardlink_source(inode) ||
101
+ capable(CAP_FOWNER))
105
+ audit_log_link_denied("linkat", link);
109
static inline int may_follow_link(struct path *link)